Data security is rapidly becoming the most important, and potentially limiting, factor in the field of data processing. While the emergence of portable data, "cloud computing," and other forms of distributed data processing and data sharing has the potential to provide truly revolutionary and paradigm-shifting advances in human activity, the current inability to provide adequate levels of data security has prevented the realization of the full potential of these advances and capabilities.
Currently, many applications, individuals, and user entities require access to data that is ultimately stored in one or more physical and/or virtual data source devices, herein referred to as storage containers. Storage containers often contain highly sensitive data, such as financial and identification information. Consequently, before allowing any applications, entities, and/or individuals access to data contained in storage containers, it is highly desirable that the data be made as secure as possible.
To this end, vast amounts of time, energy, and resources have historically been devoted to security measures for securing data in storage containers. One common current approach to securing sensitive data is to encrypt the data in the storage container. However, currently, an entire storage container, or data source, is typically encrypted with a single encryption key. This type of encryption is referred to herein as “full disk” or “whole disk” encryption.
As noted, using full disk encryption, all the data in an entire storage container is encrypted using a single encryption key. While this approach is arguably efficient in terms of the time, energy, and resources required to provide the encrypted data, full disk encryption has several long-standing and well-known drawbacks. First, using full disk encryption, once the encryption key is determined, and/or the data is accessed by other means, all the data in the storage container is then accessible. That is to say, using full disk encryption, once an unauthorized party or entity finds a way to access any data in the storage container, all data in the storage container becomes accessible. Likewise, once the data is unlocked (decrypted), any user can potentially access all of the data in the data store. Thus, using full disk encryption, a single security breach can provide a malicious actor access to all of the data in the entire storage container.
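The following is an added illustration, not part of the original text, of the blast-radius point made above: it models a storage container guarded by a single key beside one where each record carries its own key, and counts how many records a single leaked key unlocks. The cipher is a constructed HMAC-SHA256 toy standing in for a real authenticated cipher, and the records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed toy authenticated stream cipher (HMAC-SHA256 as PRF and as MAC).
# It stands in for a real cipher such as AES-GCM purely to show key granularity.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not authenticate the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample records standing in for a storage container's contents.
RECORDS = {"acct-1": b"card=4111-xxxx", "acct-2": b"ssn=xxx-xx-1234", "acct-3": b"dob=1970-01-01"}

def full_disk_container(records):
    """Full disk encryption: one key guards every record in the container."""
    key = os.urandom(32)
    return {n: encrypt(key, d) for n, d in records.items()}, {n: key for n in records}

def per_record_container(records):
    """Finer granularity: each record is guarded by its own key."""
    keys = {n: os.urandom(32) for n in records}
    return {n: encrypt(keys[n], d) for n, d in records.items()}, keys

def exposed_by_leak(container, keys, leaked_record):
    """Names of records readable once the key guarding `leaked_record` is obtained."""
    leaked = keys[leaked_record]
    return sorted(n for n, blob in container.items() if decrypt(leaked, blob) is not None)

if __name__ == "__main__":
    for builder in (full_disk_container, per_record_container):
        blobs, keys = builder(RECORDS)
        print(builder.__name__, "exposed:", exposed_by_leak(blobs, keys, "acct-1"))
```

With the single-key container every record is exposed by one leak; with per-record keys the same leak exposes only the record it guarded.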
An additional drawback to full disk encryption is that a privileged user, such as an administrator, root user, or other special-permissions user, can easily and even accidentally obtain access to sensitive data. In typical systems, giving a privileged user the ability to properly administer the system automatically gives the privileged user access to sensitive data stored in storage containers, regardless of whether there is a need, or even explicit authorization, to access the sensitive data. While privileged user status is often necessary in various computing environments, it is also desirable to limit the privileged user's ability to access sensitive data.
As noted, despite these long-standing technical problems with full disk encryption methods, full disk encryption is still the most widely used storage container/data source encryption method. This is primarily due to the fact that, currently, methods and systems for providing better encryption and access controls for storage containers and data sources have proven elusive, inefficient, and often ineffective.
What is needed is a technical solution to the long-standing technical problem of providing enhanced security and access controls to data in storage containers/data sources that is effective and can be efficiently implemented in existing architectures and operating systems.